Talha Tariq

@Menjometre @rauchg Hi, can you try logging in via email instead of Github ?

@rauchg We can't access the dashboard yet 👀

🚨 ÚLTIMA HORA 🚨 Vercel ens ha tancat el compte on teníem allotjada la web. Algú ha "reportat" la nostra plataforma a Vercel. Segons ells, l'ús que fa Menjometre va en contra de les Directrius d'Ús Just i/o els Termes del Servei. Migrarem a un nou proveïdor de serveis.

Today we partnered with Meta to disclose a critical vulnerability in React Server Components, impacting Next.js. Huge credit to Lachlan Davidson for responsibly reporting this to Meta and to our industry partners for responding quickly to our call-to-action. This is how open source security is supposed to be: responsible disclosure, fast mobilization, and close collaboration. Within 72 hours, we patched React, shipped WAF mitigations for all Vercel customers, and coordinated major cloud and security providers to protect their customers in the same way. The united response across the ecosystem has been incredible. AWS, Microsoft, Cloudflare, Fastly, Akamai, F5, Google, Deno, Netlify, Railway, Fly, and others moved quickly with platform protections and clear guidance to their customers. As a reminder, if you’re running Next.js 15 or 16, please upgrade immediately to 15.5.7 or 16.0.7. Vercel customers have platform-level protections, but upgrading is still a must. Ref: vercel.com/changelog/cve-…

We’ve got confirmation of a working #react2shell POC being shared. We’ve verified Vercel’s Web Application Firewall is successfully blocking this known variant. We are also seeing bad actors attempt exploitation. Upgrading React & frameworks remains a top priority.

Loved speaking with Mandy Andress from @elastic, Mario Duarte, from @SnowflakeDB, and Talha Tariq (@0xtbt) from @HashiCorp about their journies from private to public. @iconbuzz

@JohnTreadway @armon @QuinnyPig @HashiCorp we do have quiet a bit of automation. There are some manual verification checks that are done by human analysts

@0xtbt @armon @QuinnyPig @HashiCorp I saw the privacy policy. I just don’t know how you manage account closing and deleting all user data without automation given your size and scale.

"You must contact us to close your account" is a dark pattern; sad to see @HashiCorp using it.

@JohnTreadway @armon @QuinnyPig @HashiCorp We do. Our privacy policy covers this and here is the direct link to request data download or deletion of your personal data privacy.hashicorp.com/privacy

@armon @QuinnyPig @HashiCorp @QuinnyPig said “close,” not downgrade. Close - as in delete account, scripts and all data. Would like to hear from @0xtbt if $hcp complies with GDPR and other regs re not retaining user data after account is closed given the lack of automation for this process.

How Drift Detection Helps Maintain a Secure Infrastructure hashicorp.com/blog/how-drift… from @HashiCorp by @0xtbt

We just released our second annual HashiCorp State of Cloud Strategy Survey, with some interesting insight into what enterprises are doing in the cloud. 1/10

@Joseph_Marks_ Basic cybersecurity hygiene matters, ransomware and extortion targets are more than just about money, public and private sector threat information sharing needs to be stronger and supply chain security needs to be top of mind for critical infrastructure

The Colonial pipeline ransomware attack’s first anniversary is Saturday. How has the world changed? What are the lessons? Share thoughts here for the Cybersecurity 202.

We're thrilled to welcome Talha Tariq (@0xtbt) to our CISO Advisory Board. Talha is the Chief Security Officer at @HashiCorp. He brings 20 years of experience building & scaling security programs from startups to Fortune 100 organizations. Give Talha a warm welcome!

Oregon is beautiful!

@nomadlogicLA @ryanaraine as mentioned in our disclosure there is no evidence of any malicious change or abuse, our key rotation is a proactive measure

HashiCorp has confirmed it is a victim of the Codecov supply chain attack The GPG private key used to sign hashes to validate product downloads was exposed discuss.hashicorp.com/t/hcsec-2021-1…

@christophetd @armon @HashiCorp @mitchellh The existing .sig files are currently being left as-is to preserve working behavior on existing Terraform releases. We're in the process of producing patch releases for Terraform which will verify against the new key.

@christophetd @armon @HashiCorp @mitchellh All Terraform binary and provider releases have been signed by the rotated key - those signatures are available at the extension SHA256SUMS.72D7468F.sig

HCSEC-2021-12: Hashicorp's signing key was compromised as part of the codecov incident. discuss.hashicorp.com/t/hcsec-2021-1…

@reneeshah123 @chenxiwang

Who are the best female angel investors for infrastructure? If they've built complex distributed systems, even better. Thank you 🥂

We’re excited to announce that Talha Tariq @0xtbt is our day 1 KEYNOTE for SANS #CloudSecNextSummit! Join Summit chairs @fykim & @emjohn20 for expert talks on building and maintaining a secure cloud infrastructure. Register for Free: sans.org/u/1acC

@tomloverro Oh I had no idea - stay blessed and stay healthy ! This world needs people like you

11 years ago I was diagnosed with a serious form of cancer and was unsure if I’d have a career or family or, frankly, live. I feel blessed to be alive today and have found personal happiness and a fostering professional environment.

Join us tomorrow for the Nomad 1.0 launch live stream hashi.co/3lZiBeb Until then the Path to 1.0 continues w/ @KentGruber previewing a new feature. Product security is an important aspect of #Nomad, so we'll introduce a feature to help w/ audits hashi.co/2IXsSJl

@jefferai @ppacent I can’t wait for redacted !

Can't wait to talk about Redacted with @ppacent! Join us if you want to hear all about Redacted!

Continuously amazed at the scale of infrastructure. Here managing 300 million secret requests per day. #Vault